Previous Top News: 2009

EPIC Seeks Facebook Communications Detailing Privacy Changes
EPIC filed a Freedom of Information Act (FOIA) request with the Federal Trade Commission (FTC), seeking communications with Facebook discussing the site’s recent privacy changes. In November and December 2009, Facebook made several changes to the website’s privacy policy and settings. In response to these changes, which no longer allow users to control the visibility of certain types of information, EPIC submitted a complaint to the FTC, alleging Facebook is engaging in “unfair and deceptive practices.” Facebook spokespersons issued a statement shortly after the complaint was filed, asserting, “We discussed the privacy program with many regulators, including the F.T.C., prior to launch.” EPIC requested documents pertaining to the communications Facebook allegedly had with the federal agency. For more information, see EPIC: In re Facebook. (Dec. 29, 2009)

President Obama Issues Order Regarding Classification Practices
President Obama has issued a new executive order regarding Classified National Security Information. President Obama's classified information order establishes a National Declassification Center to streamline the declassification process and sets timetables for declassification. The order states that "No information may remain classified indefinitely." The order also reverses an order by President George W. Bush that had allowed the intelligence community to block the release of a specific document, even if an interagency panel decided the information wouldn't harm national security. The new order prohibits agencies from classifying documents after the fact and also prohibits the withholding of documents that were created by one agency but are being held by another, which should assist EPIC's pending Freedom of Information Act request to the National Security Agency regarding NSPD 54, a classified Directive that describes an NSA program to monitor American computer networks. EPIC's request was previously denied by the NSA because NSPD 54 “did not originate with” the NSA. For more information, see EPIC: Open Government. (Dec. 29, 2009)

EPIC Files Lawsuit for Information about "Digital Strip Search" Devices
On December 17, 2009, EPIC filed a lawsuit against the Department of Justice concerning the use of devices that capture images of individuals stripped naked. The Transportation Security Administration has confirmed the Whole Body Imaging machines are being used in at least one Virginia federal court by the US Marshal Service. EPIC submitted a FOIA request for information about these devices, including the contracts with the manufacturer of the machines, technical specifications, and training materials. The Marshal Service failed to respond adequately to the request. EPIC filed suit and said that the agency had not performed a sufficient search and should disclose the documents requested. For more information, see EPIC's Open Government Page and Whole Body Imaging Page. (Dec. 18, 2009)

EPIC's Lillie Coney Appointed to Election Advisory Committee
House Speaker Nancy Pelosi appointed EPIC Associate Director and leading election reform advocate, Lillie Coney, to the Election Assistance Commission (EAC) Board of Advisors. EAC is an independent, bipartisan commission charged with developing guidance to meet Help America Vote Act requirements, adopting voluntary voting system guidelines, and serving as a national clearinghouse of information about election administration. The EAC also accredits testing laboratories, certifies voting systems, and audits the use of HAVA funds. Ms. Coney leads EPIC’s voting project and has worked on developing voting technology standards, statewide-centralized voter registration systems with privacy safeguards, and voter identification policy. For more information, see EPIC: Lillie Coney and EPIC’s Voting Privacy Page. (Dec. 17, 2009)

House Passes Data Breach Bill
Today, legislators passed the Data Accountability and Trust Act, which requires security policies for consumer information, regulates the information broker industry, and establishes a national breach notification law. The bill now moves to the Senate, which is also considering a similar measure sponsored by Senator Patrick Leahy. In May, EPIC Director Marc Rotenberg testified before Congress, urging lawmakers to strengthen the proposed law by adopting a broader definition of "personally identifiable information" and permitting stronger state laws to remain. For more, see EPIC Identity Theft. (Dec. 11, 2009)

FTC Considers Emerging Privacy Concerns at First Privacy Roundtable
The Federal Trade Commission held the first of three privacy roundtables this week in Washington, DC. The well-attended event featured privacy and security experts from around the country, with each panel consisting of at least one industry representative and one privacy advocate. The failure of the current notice and choice model, the need to regulate behavioral targeting, concerns about government access to data, and the high privacy expectations of consumers were among recurring topics throughout the day. EPIC's Marc Rotenberg said it was important for the Commission to focus on emerging business practices and the impact on consumer privacy. The second privacy roundtable will be held on Data Privacy Day - January 28, 2010 - at the University of California, Berkeley School of Law. The FTC welcomes comments from the public in advance of the roundtable. (Dec. 9, 2009)

Google Expands Control of Internet Architecture
Google has announced Google Public DNS, which will route all requests for internet addresses, a core Internet function, through Google's servers. These requests would normally only pass through the servers of the users' internet service providers. Google's DNS service does not use the new authentication standard DNSSEC, but instead uses a proprietary security method. By tradition, DNS is a distributed function, subject to an open standard-setting process. For more information, see EPIC DNSSEC. (Dec. 8, 2009)

Facebook to Drop Regional Networks, Change Privacy Settings
Facebook announced that it intends to eliminate regional networks, which allow users to restrict information shared with others based on geography. The social networking service will also modify the site's privacy settings and require users to update the rules governing who can access their data. In February, revisions to Facebook's terms of service prompted users to revolt and Facebook to rescind the changes hours before EPIC planned to file a complaint with the Federal Trade Commission. Prior changes to the service resulted in disclosure of Facebook users' video rental records without their permission, prompting federal lawsuits. For more, see EPIC Facebook Privacy and Social Networking Privacy. (Dec. 4, 2009)

Defense Department Pulls Parental Control Software Product Following EPIC Complaint
Documents obtained by EPIC, pursuant to a Freedom of Information Act (FOIA) request, revealed the Defense Department canceled a contract with Echometrix, following an EPIC complaint to the Federal Trade Commission earlier this year. According to the documents obtained by EPIC, the Army and Air Force Exchange Service pulled My Military Sentry, which collects data for marketing purposes, from its online store: “The collection of AAFES customer information (personal or otherwise) for any other purpose than to provide quality customer service is prohibited . . . . Giving our customers the ability to opt out does not address this issue.” For more information, see EPIC: In re Echometrix. (Dec. 4, 2009)

EPIC Files Appeal for NSA Policy on Network Surveillance
Today, EPIC filed a Freedom of Information Act appeal, seeking disclosure of NSPD 54, the classified Directive that describes a National Security Agency program to monitor American computer networks. EPIC submitted the original request to shed light on the extent of the federal government's surveillance of civilian computer systems, but the agency refused to disclose the document. EPIC's appeal warns that the NSA’s improper withholding of the Directive "flatly contravenes" the President's policy on open government and "explicit FOIA guidance promulgated by the Attorney General." EPIC further stated that, without public disclosure of the Directive, "the government cannot meaningfully make assurances about the adequacy of privacy and civil liberties safeguards." For more information, see EPIC Open Government. (Nov. 24, 2009)

President Obama Nominates Brill and Ramirez for Federal Trade Commission
President Obama nominated Julie Brill and Edith Ramirez to be commissioners of the Federal Trade Commission. Brill, North Carolina’s top consumer advocate, serves as the senior deputy attorney general and chief of consumer protection and antitrust for the North Carolina Department of Justice. Ramirez, who specializes in intellectual property and complex litigation matters, is a partner in a Los Angeles, California law firm and has experience representing companies such as Mattel, Inc. and Northrop Grumman Corp. In a press release, President Obama stated, “These individuals bring a depth of experience to their respective roles, and I am confident they will serve my administration and the American people well. I look forward to working with them in the months and years ahead.” (Nov. 17, 2009)

Privacy Legislation Moves Forward in Senate
The Senate Judiciary Committee approved bipartisan legislation aimed at improving cybersecurity. The Personal Data Privacy and Security Act would establish a national standard for data breach notification and would require companies with databases containing sensitive personal information to establish data privacy and security programs. The bill was drafted in response to the growing number of Internet crimes in recent years. According to Senator Leahy (D-VT), who authored the bill, this legislation “strikes the right balance to protect privacy, promote commerce, and successfully combat identity theft.” The bill has been sent to the Senate for consideration. (Nov. 10, 2009)

EPIC Urges Court to Enforce Video Privacy Law
Today, EPIC filed a friend of the court brief with the Fifth Circuit Court of Appeals, urging the Court to enforce federal privacy protections for Facebook users who rented videos from Blockbuster, a Facebook business partner. The Video Privacy Protection Act prohibits companies from revealing consumers' video rental histories. EPIC wrote, "Congress established a private right of action to ensure that there would be a meaningful remedy when companies failed to safeguard the data they collected" and warned, "absent a private right of action, there would be no effective enforcement, no remedy for violations, and no way to ensure that companies complied with the intent of the Act." The lawsuit was filed by Cathryn Harris and other Facebook users after Blockbuster made public their private video rental information. Blockbuster, a participant in Facebook's Beacon program, claimed that consumers cannot sue the company and must submit to mandatory arbitration. EPIC's brief, which includes a detailed history of the video privacy law, urges the appeals court to uphold a lower court ruling, which held that the plaintiffs are allowed to pursue their claim that a federal law was violated. For more information, see EPIC Harris v. Blockbuster, EPIC The Video Privacy Protection Act, and EPIC Facebook Privacy. (Nov. 4, 2009)

Civil Society Groups and Privacy Experts Release Madrid Declaration, Reaffirm International Privacy Laws, Identify New Challenges and Call for Concrete Action to Safeguard Privacy
In a crisply worded declaration, over 100 civil society organizations and privacy experts from more than 40 countries have set out an expansive statement on the future of privacy. The Madrid Declaration affirms that privacy is a fundamental human right and reminds "all countries of their obligations to safeguard the civil rights of their citizens and residents." The Madrid Declaration warns that "privacy law and privacy institutions have failed to take full account of new surveillance practices." The Declaration urges countries "that have not yet established a comprehensive framework for privacy protection and an independent data protection authority to do so as expeditiously as possible." The civil society groups and experts recommend a "moratorium on the development or implementation of new systems of mass surveillance." Finally, the Declaration calls for the "establishment of a new international framework for privacy protection, with the full participation of civil society, that is based on the rule of law, respect for fundamental human rights, and support for democratic institutions." The Madrid Declaration was released at the Public Voice conference in Madrid on Global Privacy Standards. Multiple translations of the Declaration are available. (Nov. 3, 2009)

Public Voice Hosts Global Privacy Conference in Madrid
Almost two hundred privacy experts, advocates, and government officials from around the world gathered in Madrid for the "Global Privacy Standards" conference, organized by the Public Voice. The event features panel discussions on "Privacy and Human Rights: The Year in Review," "Privacy Activism: Major Campaigns," "Your Data in the Cloud: What if it Rains?," "Transborder Data Flow: Bridges, Channels or Walls?," and "Toward International Privacy Standards." Leading privacy officials from Spain, the European Union, the European Parliament, the OECD, and Canada are participating. The event is being held in conjunction with the annual meeting of the Privacy and Data Protection Commissioners, which is expected to draw more than 1,000 participants from over fifty countries. The Public Voice event will also be cybercast and tweeted. @thepublicvoice #globalprivacy. (Nov. 3, 2009)

Study Finds that Children’s Privacy has been Compromised
A Fordham Law School study found that state educational databases across the country ignore key privacy protections for the nation’s school children. The study reports that at least 32% of states warehouse children’s social security numbers; at least 22% of states record student pregnancies; and at least 46% of the states track mental health, illness, and jail sentences as part of the children’s educational records. Some states outsource the data processing without any restrictions on use or confidentiality for children’s information. Access to this information and the disclosure of personal data may occur for decades and follow children well into their adult lives. These findings come as Congress is considering the Student Aid and Financial Responsibility Act, which would expand and integrate the 43 existing state databases without taking into account the critical privacy failures in the states’ electronic warehouses of children’s information. For more information on children’s privacy issues, see EPIC Children’s Online Privacy Protection Act and EPIC DOD Recruiting Database. (Nov. 2, 2009)

House Committee to Consider Data Breach Bill
On September 30, the House Energy and Commerce Committee will consider a proposed federal law that would establish national standards for data breach notifications. The Data Accountability and Trust Act (DATA) also regulates information brokers and requires companies to adopt security policies. The Senate is considering a similar bill that protects additional categories of consumer information. In May, EPIC testified before Congress on the DATA bill, highlighting the importance of regulating data brokers, but warning of the dangers posed by federal laws that preempt stronger state privacy safeguards. In May, President Obama stated that "executive departments and agencies should be mindful that in our Federal system, the citizens of the several States have distinctive circumstances and values, and that in many instances it is appropriate for them to apply to themselves rules and principles that reflect these circumstances and values." For more information, see EPIC Identity Theft. (Sep. 29, 2009)

EPIC to FTC: "Parental Control" Software Firm Gathers Data for Marketing
EPIC filed a complaint with the Federal Trade Commission against Echometrix, the developer of parental control software that monitors children’s online activity. Echometrix analyzes the information collected from children and sells the data to third parties for market-intelligence research. The EPIC complaint alleges that Echometrix engages in unfair and deceptive trade practices by representing that the software protects children online while simultaneously collecting and disclosing information about children's online activity. The complaint further alleges that Echometrix’s practices violate the Children’s Online Privacy Protection Act by collecting and disclosing information from children under the age of 13. The EPIC complaint asks the FTC to stop these practices, seek compensation for victims, and ensure that Echometrix’s collection and disclosure practices comply with COPPA. For more information on the Children’s Online Privacy Protection Act, see EPIC COPPA. (Sep. 29, 2009)

Department of Justice Limits Use of State Secrets Privilege
Today, the Department of Justice announced a new policy that limits the government’s use of the state secrets privilege. The state secrets privilege is a rule of evidence intended to prevent genuine matters of national security from being disclosed in open court. However, recently it has been misused by both the Bush and Obama administrations in order to derail litigation completely. For instance, in 2007 EPIC filed a “friend-of-the-court” brief in a warrantless wiretapping case, Hepting v. United States, in which the government argued that the case should be dismissed because it would reveal “state secrets.” Under the new policy, the privilege will be invoked only "to the extent necessary to protect against the risk of significant harm to national security." The Attorney General will also have to approve each determination. The State Secret Protection Act of 2009, legislation with a similar purpose, is now pending in Congress. For more information, see EPIC Open Government. (Sep. 23, 2009)

EPIC Reminds Homeland Security Agency to Publish Privacy Report
In a letter to the Chief Privacy Officer of the Department of Homeland Security, EPIC asked when the annual privacy report will be made available. The Department is required by law to provide an annual report "on activities of the Department that affect privacy, including complaints of privacy violations, implementation of the Privacy Act of 1974, internal controls, and other matters." The last privacy report was published in July 2008. EPIC has previously sent similar letters to the Department, reminding the agency of its legal obligation to inform the public about its activities. For more information, see EPIC’s Privacy Report Held Hostage page. (Sep. 22, 2009)

Office of Legal Counsel Reaffirms Legality of Einstein 2.0
The Office of Legal Counsel has released two opinions regarding Einstein 2.0, the federal cyber-security initiative that monitors network activity. The Bush administration opinion concluded that Einstein 2.0 complied with the Constitution and applicable federal laws, provided that users are properly warned that it is operating. The Obama administration opinion, signed August 14, 2009, concurred with the earlier opinion, and also concluded that the system does not violate “state wiretapping or communications privacy laws.” EPIC has stated that Einstein should be subject to the Privacy Act. Also, documents previously obtained by EPIC under the Freedom of Information Act revealed that network monitoring tools often exceed their legal authority. For more information, see EPIC Carnivore (FBI tracking tool). (Sep. 21, 2009)

EPIC Pursues DHS Official's Public Calendar
EPIC has filed a FOIA appeal with the Department of Homeland Security for the calendar of the Chief Privacy Officer. EPIC submitted the original request to find out why the DHS Privacy Officer could not meet with privacy groups in Washington, DC. The agency turned over many pages from the calendar, but the entries were all blacked out. In the appeal, EPIC said the agency has failed to comply with the open government law and also cited the President's commitment to government transparency concerning the activities of public officials. For more information, see EPIC Open Government. (Sep. 18, 2009)

Indiana Court Strikes Down State Voter ID Law
Yesterday, the Indiana Court of Appeals ruled that the Indiana Voter ID law, which requires certain individuals to present government-issued photo identification before they could vote, violates the state Constitution. The law is unconstitutional, the court held, because it “regulates voters in a manner that is not uniform and impartial.” The United States Supreme Court previously ruled that the law did not violate the federal Constitution, but did not address the law’s validity under the Indiana Constitution. EPIC and ten legal scholars and technical experts filed a “friend-of-the-court” brief in that case, urging the Court to invalidate the law because of its disparate impact and its reliance on REAL-ID, a "flawed federal identification system." For more information, see Crawford v. Marion County Election Board and EPIC Voting Privacy. (Sep. 18, 2009)

Massachusetts Supreme Court Requires Warrant for GPS Tracking
Today, the Massachusetts Supreme Judicial Court ruled that police must obtain a warrant before using GPS devices to monitor vehicles, as it constitutes a seizure under the Massachusetts Constitution. The court also imposed time limits on GPS monitoring, ruling that warrants will expire fifteen days after they are issued. A concurring opinion raised the issue of whether the use of a GPS is a "seizure" or a "search." EPIC filed a “friend of the court” brief in the case, urging the court to adopt a warrant requirement. For more information, see EPIC Commonwealth v. Connolly. (Sep. 17, 2009)

Administration Announces Cloud Computing Initiative, but Privacy Umbrella Missing
Chief Information Officer Vivek Kundra announced the launch of “Apps.gov”, a website where federal agencies can obtain cloud-based IT services. The initiative is aimed at "lowering the cost of government operations while driving innovation." Currently, the administration's main goal is to increase the size and scale of cloud computing, but key concerns, such as security and privacy, have received little attention. In March, EPIC filed a complaint with the FTC urging the agency to open an investigation into Cloud Computing services, such as Google Docs, to determine "the adequacy of the privacy and security safeguards." Subsequently, thirty-eight computer security researchers and privacy academics sent a letter to Google's CEO, asking Google to uphold privacy promises made to users of Google Cloud Computing services. The FTC investigation is ongoing; no response has been received from Google. For more information, see EPIC's page on “Cloud Computing”. (Sep. 17, 2009)

Federal Trade Commission to Host Privacy Roundtables
The Federal Trade Commission has announced a series of roundtables on consumer privacy, beginning December 7. These discussions will explore many issues, including consumer information collection, information management practices, new business practices, and the adequacy of existing privacy laws. Roundtable participants will include individuals from a wide range of related fields, including privacy and technology experts. The meetings are open and public comments are encouraged. EPIC has supported the FTC's privacy mission, but has also said that the agency needs to do a lot more to safeguard consumer privacy. For more information, see EPIC FTC page. (Sep. 16, 2009)

EPIC Urges Appeals Court to Protect Prescription Data
EPIC filed a friend of the court brief in the Court of Appeals for the Second Circuit today, urging the judges to uphold a Vermont law that regulates companies that sell or use prescriber-identifiable data for marketing. Several data-mining companies challenged the law after it was upheld by a district court. EPIC's amicus brief supports the district court's conclusion. The EPIC brief argues that Vermont has a substantial state interest in privacy protection and that the data miners' de-identification practices do not, in fact, protect patient privacy. For more, see IMS Health v. Sorrell and EPIC Medical Privacy. (Sep. 15, 2009)

California Moves to Strengthen Data Breach Law
The California State Legislature passed S.B. 20, a bill that would improve California's current security breach notification law. Senator Joe Simitian said S.B. 20 "is designed to make a good law better." Under current California law, a company that loses unencrypted personal information must notify affected consumers of the security breach. If signed by Governor Schwarzenegger, S.B. 20 would require that notifications include information that helps consumers safeguard their privacy. The bill is one more example of the many state efforts to address the growing problem of security breaches. In May, EPIC testified in Congress on the need to improve security breach notification. (Sep. 15, 2009)

The European Privacy Seal (EuroPriSe) has been awarded to two privacy services, following a review by privacy experts and an independent body. The first EuroPriSe was awarded to German company nugg.ad's Predictive Targeting Networking service, an online advertising service that follows principles of data avoidance and minimization by not maintaining multi-website tracking profiles, deleting IP address records, and offering a blocking cookie for users to opt out. The second certification was awarded to Austrian company Kiwi Security's KiwiVision Privacy Protector, a software module that performs real-time anonymization of video data by obfuscating faces, license plates, and other identifying imagery. For more on Privacy Enhancing Technologies, see EPIC Practical Privacy Tools. (Sep. 11, 2009)

New Report on Government Secrecy Released
The 2009 Secrecy Report Card, from Openthegovernment.org, chronicles slight decreases in government secrecy during the last year of the Bush-Cheney Administration. The report, released by a coalition of more than 70 open government advocates, also provides an overview of the Obama Administration’s proposed transparency policies. Among the issues discussed are the Open Government Directive, Classified Information, the Freedom of Information Act (FOIA) memo, signing statements, and the state secrets doctrine. For more on open government and transparency, see EPIC Open Government. (Sep. 11, 2009)

White House Announces New Transparency Policy for Visitor Logs
Today the White House announced a new policy to release the records of White House visitors, an initiative that is intended to promote open government. The White House will release information on all individuals who come to the White House for an appointment, a tour, or to conduct official business, with certain exceptions for confidential or particularly sensitive meetings. The White House agreed not to release visitors' personal information, such as dates of birth, social security numbers, or contact phone numbers. However, the White House will release the names of tourists and other visitors who are not meeting with government officials, which raises privacy questions. For more information, see EPIC's Open Government page. (Sep. 4, 2009)

Federal Trade Commission Issues Statements on Google Books Settlement and Privacy
With the Google Books Settlement now under consideration in federal court, FTC Chairman Jon Leibowitz today issued a statement, calling attention to privacy concerns and the vast amount of consumer information that could be collected. The Chairman expressed the Commission's commitment to evaluating the privacy issues presented by Google Books, a sentiment that was echoed by Commissioner Pamela Jones Harbour in her statement. In a separate letter, FTC Consumer Protection Director David C. Vladeck urged Google to address consumer privacy concerns and to limit the secondary use of user data. For more information, see EPIC Google Books Settlement and Privacy. (Sep. 4, 2009)

Administration Will Require E-Verify for All Federal Contractors
The Obama Administration announced that it is moving forward with a plan to require all federal government contractors and subcontractors to verify employment eligibility with the federal government. The program, known as E-Verify, is run by the Department of Homeland Security. E-Verify operated as a voluntary employment verification system, and served about 3,000 employers. In 2007, EPIC testified in Congress that the employment eligibility database is filled with errors and warned that determination errors are likely. The Administration also said it would rescind the use of the "No Match" requirement. See EPIC E-Verify. (Jul. 10, 2009)

Supreme Court: Strip-Search of Teenager Violated Constitutional Rights
The Supreme Court delivered an 8-1 opinion ruling that a strip-search of a thirteen-year-old girl by school officials looking for an ibuprofen tablet violated the Fourth Amendment. Justice Souter, writing for the Court, held that the search was unreasonable and that school searches are permissible when they are "not excessively intrusive in light of the age and sex of the student and the nature of the infraction." But a majority of the Justices also said that the school officials were not liable for damages because it had not been "clearly established" that the search was unlawful. Justices Stevens and Ginsburg disagreed and said that a previous Supreme Court case made clear that the search was "excessively intrusive." Justice Thomas wrote in dissent that the search was permissible. See also EPIC's page on Student Privacy. (Jun. 25, 2009)

TSA Responds to Whole Body Imaging Objections
The Transportation Security Administration has replied to the Privacy Coalition statement on whole body imaging systems. The agency claims that the Privacy Impact Assessment (PIA) provides adequate protection. The Privacy Coalition letter pointed out that "the devices are designed to capture, record, and store detailed images of individuals undressed" and said that "If the public understood this, they would be outraged by the use of these devices by the US government on US citizens." The Privacy Coalition said that the use of the devices should be suspended pending an investigation. The letter was prompted by the TSA's announcement that Whole Body Imaging would replace metal detectors as the primary screening technique at US airports. The House of Representatives recently passed legislation that would establish clear privacy safeguards for the devices. See also EPIC's page on Whole Body Imaging. (Jun. 23, 2009)

Airport Security Program Closes Operations - What Happens to the Data?
Verified Identity Pass, a company that provided the Registered Traveler program under the brand name "Clear," shut down operations on June 22, 2009, citing inability to "negotiate an agreement with its senior creditor." The Clear program allowed travelers who had undergone an extensive background check to go through special security lines at airports. The screening process required extensive data collection, including biometric identifiers, from passengers. The closure raises concern about the transfer of the customer data, which may be attached by creditors in a bankruptcy proceeding. Clear's Privacy Policy is silent on the issue. At a 2005 Congressional hearing, EPIC warned that the absence of Privacy Act safeguards would pose a security risk to Clear customers. See also EPIC's page on Registered Traveler Card. (Jun. 23, 2009)

EPIC Urges Comprehensive Strategy for ID Theft
With ID theft rapidly increasing in the United States, EPIC Executive Director Marc Rotenberg today urged a Congressional Committee to address the root causes of the problem. In testimony before the House Oversight Committee, Mr. Rotenberg said that the government typically acts only after the crime has occurred and warned that the problem will get worse if current trends continue. EPIC recommended a comprehensive strategy for ID Theft that would include: (1) Establishing privacy safeguards for web 2.0 services; (2) Ensuring privacy protections for outsourcing; (3) Enacting comprehensive privacy legislation; (4) Making privacy protection a focal point of cybersecurity policy; and (5) Developing better techniques for Identity Management. See EPIC pages on Identity Theft. (Jun. 17, 2009)

European Advisory Group Issues Opinion on Social Networking
The European expert group on data protection and privacy issued guidance to Social Network Service providers on measures needed to ensure compliance with EU law. The key concern of the group is the dissemination and use of information available on such networks for secondary, unintended purposes. The opinion recommended robust security and privacy-friendly default settings. Topics included processing of sensitive data and images, advertising and direct marketing, and data retention. In January, EPIC suggested regulation of Social Network Service partners, including advertisers and application developers. See EPIC's Page on Social Networking Privacy. (Jun. 17, 2009)

Obama Administration Recommends that Supreme Court Preserve California Financial Privacy Law, Dismiss Bankers' Appeal
In a filing this week, the Department of Justice urged the nation's highest court to leave intact California's financial privacy law, saying the law does not impose hardships on banks. The California law provides strong financial privacy safeguards, including the right to curtail sale of personal information by financial firms to affiliated companies, and to bar the sale of data to non-affiliates unless consumers explicitly "opt-in." A consortium of financial services companies has challenged the law and, in December 2008, asked the Supreme Court to consider the case. The firms argued that the California statute conflicts with other federal rules. The Supreme Court requested the Administration's view on the case, and has often followed the Department's opinions. Earlier in the litigation, EPIC urged a federal appeals court to uphold the California privacy law. For more information, see EPIC's ABA v. Brown and Privacy and Preemption Watch pages. (Jun. 5, 2009)

FBI's Use of FISA Increasing
In a report to Congress, the Justice Department revealed a substantial increase in the use of National Security Letters to acquire information on American citizens without court order. In 2008, the FBI made 24,744 NSL requests pertaining to 7,225 persons compared to 16,804 requests pertaining to 4,327 persons in 2007. The report also detailed 2,082 applications by the FBI to the Foreign Intelligence Surveillance Court for authority to conduct surveillance and physical searches. An earlier audit had revealed that some "blanket-NSLs" did not document the relevance of the information sought to a national security investigation and the statistics were not reported to the Congress. For more information, see EPIC's Page on Foreign Intelligence Surveillance Act, National Security Letters, and Wiretapping. (May. 20, 2009)

EPIC Launches Campaign to Suspend 'Whole Body Imaging' at Nation's Airports
EPIC announced a national campaign today to suspend the use of "Whole Body Imaging" -- devices that photograph American air travellers stripped naked in US airports. The campaign responds to a policy reversal by the TSA which would now make the "virtual strip search" mandatory, instead of voluntary as originally announced. EPIC and others say that there are inadequate safeguards to prevent the misuse of the images. They are asking Homeland Security Secretary Janet Napolitano to suspend the program and to allow for public comment. For more information, see EPIC's Backscatter X-ray, Whole Body Imaging page. (May. 18, 2009)

State Courts Split on Warrantless GPS Tracking
Today, the New York Court of Appeals ruled that police must obtain a warrant before installing GPS tracking devices on individuals' vehicles. The decision prohibits law enforcement from secretly using GPS trackers to compile comprehensive travel histories on citizens without a warrant. The case follows last week's Wisconsin Appeals Court decision authorizing warrantless GPS surveillance by police. Other states have split on the application of a warrant requirement. On April 20, 2009, EPIC filed a brief in Commonwealth v. Connolly, urging the Massachusetts Supreme Judicial Court to require a warrant before police track drivers using concealed surveillance technology. The EPIC brief warned that warrantless GPS tracking "raises the specter of mass, pervasive surveillance without any predicate act that would justify this activity." For more information see EPIC's Commonwealth v. Connolly page. (May. 12, 2009)

Justice Department Restores Antitrust Enforcement
Speaking at the Center for American Progress, Assistant Attorney General Christine Varney announced that the Antitrust Division will be "aggressively pursuing cases where monopolists try to use their dominance in the marketplace to stifle competition and harm consumers." Ms. Varney withdrew a 2008 Department report on monopolization offenses that generally allows monopoly practices to go unchallenged. In 2007, EPIC objected to the merger of Internet advertisers Google and Doubleclick, arguing that it was vital to impose privacy safeguards and to preserve advertising options for web publishers. For more information, see EPIC, "Privacy? Proposed Google/Doubleclick Deal." (May. 11, 2009)

EPIC Testifies Before Congress on Data Breach Bill, Urges Changes to Strengthen Act
EPIC Director Marc Rotenberg testified before Congress on the Data Accountability and Trust Act, which would require security policies for consumer information, regulate the information broker industry, and establish a national breach notification law. Rotenberg said "companies need to know that they will be expected to protect the data they collect and that, when they fail to do so, there will be consequences." The EPIC Director opposed the preemption of stronger state laws, recommended the use of text messages for breach notices, and suggested that personally identifiable information be broadly defined to include any information that "identifies or could identify a particular person." To learn more about Identity Theft, see EPIC's Identity Theft page. (May. 5, 2009)

For Identity Theft Law, Supreme Court Rules that the Government Must Prove Intent to Impersonate
In a critical case for the emerging field of identity management, the Supreme Court today reversed a lower court opinion and ruled unanimously in favor of the petitioner. The Court held that individuals who provide identification numbers that are not their own, but don’t intentionally impersonate others, cannot be subject to harsh criminal punishments under federal law. The case involved a mandatory 2-year prison term, added on to a prior conviction, for presenting a fake Social Security Number to an employer. EPIC filed an amicus brief in support of the petitioner, arguing that the "unknowing use of inaccurate credentials does not constitute identity theft." For more information, see EPIC, Flores-Figueroa v. United States. (May. 4, 2009)

EPIC Urges Greater Accountability for Network Surveillance
Today, EPIC asked Senator Patrick Leahy to investigate the Department of Justice's failure to make public statistics detailing federal use of "pen registers" and "trap and trace" devices, which record "non-content" information about telephone calls, email and web traffic. In a letter to the Chairman of the Senate Judiciary Committee, EPIC observed that the Attorney General is required to provide to Congress detailed statistics concerning the use of these techniques. Yet, "the DOJ does not publicly disclose pen register reports as a matter of course." EPIC also raised questions regarding the agency's compliance with reporting requirements for the period 2004-2008. The lack of public accountability for these network monitoring techniques contrasts with the U.S. Courts' routine public reporting of federal wiretaps, EPIC said. The Courts released the most recent wiretap report on April 27, 2009. For more information, see EPIC's Wiretapping page. (Apr. 29, 2009)

Privacy and Consumer Groups Seek New FTC Commissioner
EPIC joined other privacy and consumer organizations on a letter to President Obama urging the appointment of a pro-consumer Commissioner to the Federal Trade Commission (FTC). The groups called for the appointment of someone with a “distinguished record of achievement in consumer affairs, with a demonstrated commitment to protecting the public.” The Commission has been one person short of its full membership since former Chair Deborah Platt Majoras left the agency last year. The President appointed Jon Leibowitz to serve as the current chair of the FTC. For more information, see EPIC’s page on the Federal Trade Commission. (Apr. 27, 2009)

EPIC Urges Congress to Act on Internet Privacy
In testimony before a Congressional Committee, EPIC Director Marc Rotenberg urged lawmakers to address the growing threat to online privacy of new tracking techniques. Mr. Rotenberg said, "From the user perspective, the threats to privacy online are increasing. Unregulated data collection continues. Privacy policies are opaque and ineffective. Users are unable to exercise any meaningful control over the personal information that is obtained by firms when they visit sites, purchase online, or participate in the rapidly growing world of social networking." EPIC warned that these practices also pose a threat to technical standards that are necessary to protect network integrity, as well as the revenue of web publishers. For more information, see EPIC's page on Deep Packet Inspection and NCTA v. FCC. (Apr. 23, 2009)

Supreme Court Hears Case on Strip-Search of Young Student by School Officials Looking for Advil
The Supreme Court heard a case involving a traumatic strip-search of a thirteen-year-old girl by school officials looking for an ibuprofen tablet. The search was conducted based on an allegation by another student, who had been caught with drugs. A federal appellate court held that the search of the student was unreasonable and that a school official could be liable for violating the girl's Fourth Amendment rights. The school appealed to the Supreme Court and argued that the search was reasonable and the school official had qualified immunity. The respondent student replied that the search was highly invasive and the official should be held responsible. See also EPIC's page on Student Privacy. (Apr. 21, 2009)

European Commission Seeks to Protect Internet Privacy
Following complaints about Phorm's Deep Packet Inspection Technology with UK internet service providers, the European Commission has opened a formal investigation. The EU e-Privacy and Data Protection Directives protect the confidentiality of communications by prohibiting interception and surveillance without the user's consent. Deep Packet Inspection allows internet service providers to intercept virtually all customers' Internet activity, including web surfing data and other Internet related activities. The Commission charges that the UK government could not permit this activity under European Union privacy law. In the US, Congressional leaders also objected to Deep Packet Inspection. For more information, see EPIC's page on Deep Packet Inspection and Privacy and Human Rights Report. (Apr. 14, 2009)

Federal Trade Commission to Review EPIC Cloud Computing Complaint
The Federal Trade Commission will review EPIC's March 17, 2009 complaint, which describes Google's unfair and deceptive business practices concerning the firm's Cloud Computing Services. EPIC's complaint describes numerous data breaches involving user-generated information stored by Google, including the recently reported breach of Google Docs. EPIC's complaint "raises a number of concerns about the privacy and security of information collected from consumers online," federal regulators said. EPIC urged the Commission to take "such measures as are necessary" to ensure the safety and security of information submitted to Google. Previous EPIC complaints have led the Commission to order Microsoft to revise the security standards for Passport and to require Choicepoint to change its business practices and pay $15 m in fines. For more information, see EPIC's complaint to the FTC and EPIC's Cloud Computing Page. (Mar. 19, 2009)

Attorney General Issues New FOIA Guidelines
The Attorney General today set out new Freedom of Information guidelines pursuant to President Obama's memorandum directing all executive branch departments and agencies to maintain a presumption of openness in releasing information requested from them. In the memorandum, the Attorney General strongly encouraged agencies to make discretionary disclosures of information to the fullest extent possible. Rescinding the FOIA Memorandum of October 12, 2001, the Attorney General stated that the Justice Department will defend a FOIA request only if the disclosure would harm an interest protected by a statutory exemption or its disclosure is prohibited by law. The memorandum also directs that each agency is fully accountable for its administration of FOIA and should be mindful of its obligation to work "in a spirit of cooperation." For more information, see EPIC's Open Government page. (Mar. 19, 2009)

EPIC Celebrates Sunshine Week
Open government and media organizations throughout the country are celebrating Sunshine Week by highlighting the importance of government transparency. EPIC publishes the most comprehensive up-to-date manual on federal open government law. EPIC is pursuing Freedom of Information Act litigation to obtain government memos describing the legal basis for the warrantless wiretapping of American citizens by the Bush Administration. To learn more about your right to access government information, see EPIC's Open Government page and Litigation Under the Federal Open Government Laws 2008. (Mar. 17, 2009)

Cybersecurity Czar Steps Down, Warns of Growing NSA Influence
Rod Beckstrom, Director of the National Cybersecurity Center, has resigned. In a letter to Homeland Security Secretary Janet Napolitano, Beckstrom warned of the increasing role of the National Security Agency in domestic security. The "intelligence culture is very different than a network operation or security culture... the threats to our democratic processes are significant if all top government network and monitoring are handled by any one organization... we have been unwilling to subjugate the NSCS under the NSA," wrote the former NCSC Director. The announcement follows Congressional testimony from the new Director of National Intelligence that the NSA should be responsible for network security. EPIC has long maintained that the NSA, though it plays a vital role in gathering foreign intelligence, should not be the lead agency for domestic network security because it also engages in extensive and unregulated spying. See EPIC Computer Security Act of 1987. (Mar. 9, 2009)

American Recovery Act Includes Strong Medical Information Safeguards
President Obama signed the American Recovery & Reinvestment Act, which includes comprehensive safeguards for medical information. The Act prohibits the unauthorized sale of medical records and provides exceptions for research, public health and treatment. The Act also limits marketing, requires covered entities and business associates to keep an audit trail of personnel having access to the information, mandates policies setting standards for technology systems to restrict sensitive information and use data encryption, and directs breach notifications. The new law prescribes monetary penalties for violations and requires monitoring of contracts and reporting on compliance. Patient Privacy Rights led the campaign for strong medical privacy protection. For more information, see EPIC's page on Medical Privacy. (Feb. 18, 2009)

Privacy Problems Plague New White House Web Site
While the public responded very favorably to the announcements this week from President Barack Obama, problems emerged with the privacy practices of the new White House web site where the President's statements are posted. One columnist noted a tracking feature associated with YouTube that violated a long-standing rule to limit the use of persistent cookies in the federal government. A second columnist, who noted a similar problem with YouTube and Congressional offices, said that subsequent changes to the White House privacy policy failed to resolve the problem. In posts to the Interesting People list, several other experts identified privacy related problems with the White House site. For general information about cookies and tracking, see EPIC's Cookies page. (Jan. 24, 2009)

President Obama Issues New Orders on FOIA
In his first 24 hours in Office, President Obama issued a series of Executive Orders. One of the Orders dealt with the Freedom of Information Act (FOIA) activity of federal government agencies. He stated that prior FOIA rules were governed by a "defensible argument" for not disclosing information to the public. The President said that, "Starting today, every agency and department should know that this administration stands on the side, not of those who seek to withhold information, but with those who seek to make it known." In other initiatives President Obama issued a suspension of legal proceedings against detainees being held in Guantanamo Bay. For more information, see EPIC's page on Former Secrets. (Jan. 21, 2009)

Supreme Court Refuses to Hear Internet Censorship Appeal
The Supreme Court denied the last appeal of the Government from an Appeals Court decision that turned down the enforcement of the Child Online Protection Act (COPA). COPA establishes criminal penalties for any online commercial distribution of material harmful to minors. The Appeals Court held COPA unconstitutional on the ground that COPA made every web communication provider abide by the most restrictive community's standards. EPIC had challenged the implementation of COPA over ten years ago and had been fighting the case along with the ACLU and the EFF. EPIC argued that COPA violated the First Amendment as well as privacy of the individual on the internet. For more information, see EPIC's page on ACLU v. Mukasey. (Jan. 21, 2009)

Federal Intelligence Court Rules Warrantless Wiretapping Legal
The Foreign Intelligence Surveillance Court of Review has ordered the release of a redacted opinion. The federal intelligence court ruled in August 2008 that warrantless wiretapping of international phone calls and the interception of e-mail messages were permissible. Giving support to the Protect America Act, the Court found that "foreign intelligence surveillance possesses characteristics that qualify" for an exception in the interest of "national security". For more information, see EPIC's page on Foreign Intelligence Surveillance Act. (Jan. 15, 2009)